I noticed that you are not creating a server side nonce. Once a message is signed and gets intercepted, the attacker will forever be able to access the database as the intercepted user. Also every dapp that lets me sign a message can use this signature to act as me on every moralis service. So if i sign a message on pancake swap they can use my signature to login to my moralis profile on every moralis dapp. Atleast you should include the application id in the signed message. In this way only one database will be fully exposed.
how did you notice that a nonce is not created? asking because it is
i can just sign a random message and send http request to https://x67f0uwkfbsd.usemoralis.com:2053/server/users
with the following payload:
1. data: "Moralis Authentication\n\nId: LChJXJA8KmtR3ZoMrvaObUaBAeZ6NiAVt9WdYr70:1644476483423"
2. id: "0x92f6480...3d855f50e"
3. signature: "insert signed message here"
- _ApplicationId: “App Id”
- _ClientVersion: “js1.3.1”
- _InstallationId: “Installation Id”
Also i can choose the the sign message
that should not work, did you try it?
Yes i did. Here is a video (dont worry it’s not listed).
Yes you send back the server time to the client and let him sign the server time. But i can send any signed message i want! So every app or website that let’s me sign a message, can use this signature to attack all moralis dapps.
And there is not even the possibilty to prevent the attacker from accessing my data once i noticed my signature is beeing used. Because with the current implmentation my signature message pair will be valid for the eternity of time. So the only solution would be to delete my data and never use any moralis service again.
I think that I understand now what could be a possible problem here, if you change the message and also the signature at the same time.
Yes as you can see in the video, i just create some random message and sign it. This message signature pair can now be used to access the moralis database as the user. So if i sign any message on any website this pair can be used to access the database.
Thanks for reporting, I’ll get back when it is fixed.
No problem, happy to help
Can you try again now?
You are now enforcing the timestamp, great job! Works perfect.